Hi Sandra,

On Mon, Aug 31, 2015 at 4:20 PM, Sandra Murphy <sandy@xxxxxxxxxxx> wrote:
> On Aug 27, 2015, at 5:59 PM, Russ Housley <housley@xxxxxxxxxxxx> wrote:
>
>> (3) In Section 11, we learn that the VLAN membership of all the
>> RBridge ports in an LAALP MUST be the same. Any inconsistencies in
>> VLAN membership may result in packet loss or non-shortest paths.
>> Is there anything that can be added to the Security Considerations
>> that can help avoid these inconsistencies?
>
> Interesting. In the trill draft I recently reviewed for secdir
> (draft-ietf-trill-aa-multi-attach) it makes a similar statement that
> VLAN membership had to be consistent across all ports on all RBridges
> in a LAALP. In that draft, the consistency meant the VLANs could be
> left out of the protocol packet.

Did you see my response to your secdir review which I sent 3 days ago?

> All enabled VLANs MUST be consistent on all ports connected to an
> LAALP. So the enabled VLANs need not be included in the AA-LAALP-
> GROUP-RBRIDGES TRILL APPsub-TLV. They can be locally obtained from
> the port attached to that LAALP.
>
> I wondered if the LAALP was responsible for ensuring the consistency.
> If it is left to the operator configuration, that’s tough. Turns out
> there’s a dynamic VLAN registration protocol (VRP), but I could not
> discover that it is doing a consistency check.
>
> If the draft you are looking at implies inconsistency is a possibility,
> then it must be that neither the LAALP nor VRP ensures the consistency.

As per my previous response to you, as far as I know all existing LAALPs
are proprietary MC-LAG implementations, and how they maintain consistent
VLAN enablement on the TRILL switch LAALP ports is out of scope for the
TRILL protocol.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@xxxxxxxxx

> —Sandy
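The operational check Russ asks about, as an added example that is not part of this thread, of any TRILL draft, or of any MC-LAG implementation. Because the AA-LAALP-GROUP-RBRIDGES APPsub-TLV does not carry the enabled-VLAN list, nothing in the protocol exchange itself can detect a mismatch; the check below assumes the operator collects each RBridge port's enabled VLANs out of band (via the management plane) and compares them. The port names and VLAN sets are constructed sample data, and the frame-drop model covers only the packet-loss consequence the draft mentions, not the non-shortest-path one.

```python
"""
Out-of-band VLAN consistency check for the RBridge ports of one LAALP.
Added example; not code from this thread, any TRILL draft, or any
MC-LAG implementation. Port names and VLAN sets below are constructed.
"""
from typing import Dict, FrozenSet, Mapping, Set, Tuple

# Constructed sample: enabled VLANs on each RBridge port attached to the LAALP.
# RB1 and RB2 agree; RB3 lacks VLAN 30; RB4 has an extra VLAN 40.
SAMPLE_LAALP_PORTS: Dict[str, Set[int]] = {
    "RB1:eth1": {10, 20, 30},
    "RB2:eth1": {10, 20, 30},
    "RB3:eth1": {10, 20},
    "RB4:eth1": {10, 20, 30, 40},
}


def vlan_inconsistencies(
    ports: Mapping[str, Set[int]]
) -> Tuple[FrozenSet[int], FrozenSet[int], Dict[str, FrozenSet[int]]]:
    """Compare the enabled-VLAN set of every port in the LAALP.

    Returns (union, common, missing): `union` is every VLAN enabled on at
    least one port, `common` is the VLANs enabled on all ports, and
    `missing` maps each port that is not enabled for the whole union to
    the VLANs it lacks. An empty `missing` dict means the LAALP is
    consistent, which is what the draft's MUST requires.
    """
    if not ports:
        return frozenset(), frozenset(), {}
    sets = {p: frozenset(v) for p, v in ports.items()}
    union = frozenset().union(*sets.values())
    common = frozenset(union)
    for vs in sets.values():
        common &= vs
    missing = {p: union - vs for p, vs in sets.items() if union - vs}
    return union, common, missing


def is_consistent(ports: Mapping[str, Set[int]]) -> bool:
    """True iff every port enables exactly the same VLAN set."""
    return not vlan_inconsistencies(ports)[2]


def dropped_at(ports: Mapping[str, Set[int]], vlan: int) -> Set[str]:
    """Ports where a frame tagged `vlan` arriving from the CE would be dropped.

    The CE spreads frames across all LAALP member links, so any port that
    does not enable `vlan` discards the share of traffic sent to it. This
    models only the packet-loss case, not non-shortest-path forwarding.
    """
    return {p for p, vs in ports.items() if vlan not in vs}


def report(ports: Mapping[str, Set[int]]) -> str:
    """Human-readable summary for an operator runbook or a config CI check."""
    union, common, missing = vlan_inconsistencies(ports)
    if not missing:
        return f"OK: {len(ports)} ports agree on VLANs {sorted(union)}"
    lines = [f"INCONSISTENT: common VLANs {sorted(common)}, union {sorted(union)}"]
    for port, vlans in sorted(missing.items()):
        lines.append(f"  {port} is missing {sorted(vlans)}")
    for vlan in sorted(union - common):
        lines.append(
            f"  frames in VLAN {vlan} are dropped at {sorted(dropped_at(ports, vlan))}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LAALP_PORTS))
```

Run against the sample, the report flags RB3 for missing VLAN 30 and RB1, RB2 and RB3 for missing VLAN 40, and shows that VLAN 30 traffic hashed to RB3 is lost. Whether the right fix is to add the missing VLANs everywhere or remove the extras is an operator decision; the check only establishes that the draft's consistency requirement is not met.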